Mirai malware variant called Satori now public

Exploit code used by the Mirai malware variant called Satori, which has been used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn that the code will quickly become a commodity and be leveraged in DDoS attacks by botnets such as Reaper (also tracked as IoTroop).

The code exploits the zero-day vulnerability CVE-2017-17215, used by a hacker identified as “Nexus Zeta” to spread a variant of the Mirai malware called Satori, also known as Mirai Okiru.

“The fact that the code is now in the open means that more threat actors would now be using it. We can assume that the exploit would become commodity, and IoT botnets that attempt to exploit a large kit of vulnerabilities will be adding CVE-2017-17215 to their arsenal,” said Maya Horowitz, threat intelligence group manager, Check Point.

Since then, Huawei has issued an updated security notice warning customers that the flaw allows a remote adversary to send malicious packets to port 37215 and execute code on vulnerable routers.

The underlying cause was a bug related to SOAP, a protocol used by many IoT devices, Anubhav said. Earlier SOAP-related issues (CVE-2014-8361 and the TR-064 flaw) affected different vendors and were widely used by Mirai variants.

In the case of CVE-2017-17215, the zero-day exploits how the Huawei router uses the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.

“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),” researchers wrote. The device’s UPnP framework exposes a “DeviceUpgrade” service that carries out a firmware upgrade action.

The vulnerability allows a remote attacker who can reach port 37215 to execute arbitrary commands on the router by injecting shell metacharacters into the parameters handled by the DeviceUpgrade process.

“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” Check Point researchers wrote.
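The request shape described above, written as an added detection example (this is not code from the article, Check Point or Huawei): it parses a raw HTTP request aimed at TCP/37215, pulls the parameters out of the SOAP body and flags shell metacharacters in the two URL fields the upgrade action accepts. The endpoint path /ctrlt/DeviceUpgrade_1, the service URN and the parameter names NewStatusURL and NewDownloadURL are taken from the public Check Point write-up of CVE-2017-17215 and are assumptions here, not facts stated in this article; the sample requests are constructed, and the injected command is a harmless placeholder rather than the real Satori downloader.

```python
import re
import xml.etree.ElementTree as ET

# Port and service name come from the article. The endpoint path and the two
# URL parameters are taken from Check Point's public write-up of
# CVE-2017-17215 and are assumptions in this example.
VULN_PORT = 37215
UPGRADE_PATH_MARKER = "DeviceUpgrade"
WATCHED_PARAMS = ("NewStatusURL", "NewDownloadURL")

# Shell metacharacters that have no business in a firmware-download URL.
# "&" is deliberately left out: it appears legitimately in URL query strings.
SHELL_META = re.compile(r"\$\(|`|;|\||\n")


def split_http_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def soap_params(body: bytes) -> dict:
    """Return {tag: text} for every leaf element of the SOAP body, namespaces stripped."""
    root = ET.fromstring(body)
    params = {}
    for el in root.iter():
        if len(el) == 0:
            tag = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
            params[tag] = el.text or ""
    return params


def classify_request(raw: bytes, dst_port: int) -> dict:
    """Classify one request as 'benign', 'suspicious' or 'exploit' and record why."""
    _method, path, _headers, body = split_http_request(raw)
    verdict = {"port": dst_port, "path": path, "level": "benign", "reasons": []}
    if dst_port != VULN_PORT or UPGRADE_PATH_MARKER not in path:
        return verdict
    # Any WAN-side hit on the upgrade endpoint is worth a look on its own.
    verdict["level"] = "suspicious"
    verdict["reasons"].append("DeviceUpgrade SOAP endpoint reached on TCP/37215")
    try:
        params = soap_params(body)
    except ET.ParseError:
        verdict["reasons"].append("unparseable SOAP body")
        return verdict
    for name in WATCHED_PARAMS:
        value = params.get(name, "")
        if SHELL_META.search(value):
            verdict["level"] = "exploit"
            verdict["reasons"].append(f"shell metacharacters in {name}: {value!r}")
    return verdict


# Constructed sample traffic (not captured data).
SOAP_TEMPLATE = (
    '<?xml version="1.0" ?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>{status}</NewStatusURL>"
    "<NewDownloadURL>{download}</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)


def build_request(path: str, status: str, download: str) -> bytes:
    """Assemble a POST to the given SOAP endpoint with the two URL parameters."""
    body = SOAP_TEMPLATE.format(status=status, download=download).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        "Host: 192.0.2.1:37215\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "SOAPAction: urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade\r\n"
    ).encode()
    return head + b"\r\n" + body


BENIGN = build_request("/ctrlt/DeviceUpgrade_1", "http://192.0.2.10/status", "http://192.0.2.10/fw.bin")
EXPLOIT = build_request("/ctrlt/DeviceUpgrade_1", "$(echo injected)", "http://192.0.2.10/fw.bin")
OTHER = build_request("/upnp/control/WANIPConn1", "http://192.0.2.10/status", "http://192.0.2.10/fw.bin")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("exploit", EXPLOIT), ("other path", OTHER)):
        print(label, classify_request(req, VULN_PORT))
```

The classifier treats any WAN-side request to the upgrade endpoint as suspicious even without metacharacters, since a home router's firmware-upgrade service should never be reachable from the Internet at all; on the router itself the matching control is a firewall rule that drops inbound TCP/37215 from the WAN, which is the mitigation Huawei points to further down.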

The payload delivered through the exploit mainly instructs the bot to flood targets with manually crafted UDP or TCP packets.

“The exploit code was already used by two major IoT botnets, Brickerbot and Satori, and now that the code is public it will be incorporated into different botnet strains,” Anubhav said.

Mitigation includes configuring the router’s built-in firewall, changing the default password, or using a firewall on the carrier side, Huawei said.

“Please note that users of this router are mostly home users, who do not typically log in to their router’s interface and don’t necessarily have the know-how, and so unfortunately I have to assume most devices would stay vulnerable,” Horowitz said. “We desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable.”